Update Export File Format wrt Media Signing

doc/ExportFileFormat.xml

@@ -251,7 +251,7 @@
     <section>
       <title>Use case 2: Forensic analysis at court</title>
       <para>A court receives video clips from a grocery store, a street surveillance system and a metro operator. All three videos are shown in the court’s approved video player.</para>
-      <para>The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic.</para>
+      <para>The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. Further, they preferably also want to validate the videos authenticity and provenance using ONVIF Media Signing.</para>
     </section>
     <section>
       <title>Use case 3: Playback at players not equipped according to the present specification</title>
@@ -260,6 +260,79 @@
   </chapter>
   <chapter>
     <title>Export Format</title>
+    <section>
+      <title>Requirements to Preserve Media Signing</title>
+      <para>
+        This checklist captures the essence for preserving the authenticity of ONVIF Media Signing
+        (OMS) when handling streams and exporting to MP4. Following these rules ensures that signature
+        verification remains intact and that tamper‐evident evidence can be trusted.
+      </para>
+      <section>
+        <title>Core Rules and Bitstream Requirements</title>
+        <para>
+          <emphasis role="bold">No re-encoding</emphasis>
+        </para>
+        <para>Never transcode or recompress OMS. Use pure remuxing (<literal>-c copy</literal> in
+          ffmpeg) to change containers.</para>
+        <para>
+          <emphasis role="bold">Preserve NAL order and bytes</emphasis>
+        </para>
+        <para>Do not filter, rewrite or normalise the bitstream. The raw order of NAL units is
+          critical.</para>
+        <para>
+          <emphasis role="bold">Keep OMS SEI NAL units</emphasis>
+        </para>
+        <para>ONVIF Media Signing transmits signature information in SEI (Supplemental Enhancement
+          Information) frames of type <literal>user data unregistered</literal> within the codec
+          format (H.264 and H.265). These SEI frames do not affect the video frame decoding. The
+          standard ISO/IEC 14496-12 provides the user an option to remove these when creating an MP4
+          file. <emphasis role="bold">Never strip these.</emphasis></para>
+        <para>
+          <emphasis role="bold">Add OMS Certificate SEI NAL unit if present</emphasis>
+        </para>
+        <para>The device has the option to add a Certificate SEI at the beginning of a stream. This
+          SEI includes all necessary information to validate later SEIs. If the stream from the
+          device had a Certificate SEI, that SEI shall be added to the first access unit of the
+          exported recording.</para>
+        <para>
+          <emphasis role="bold">Treat the video elementary stream as immutable</emphasis>
+        </para>
+        <para>
+          <itemizedlist>
+          <listitem><para>Keep all SPS/PPS/VPS, access unit delimiter (AUD), prefix/suffix SEI and
+            slice NALs in their original order.</para></listitem>
+          <listitem><para>Do not change frame rate, timescale, timebase or GOP structure. Avoid
+            frame duplication, dropping, de‑interlacing or timestamp “cleanup”.</para></listitem>
+          <listitem><para>For SEI preservation: In H.264 the SEI NAL type is 6; in HEVC, SEI
+            prefix/suffix types are 39/40. These must stay attached to the same access units they
+            originally accompanied. Do not convert or regroup SEIs (e.g., never swap HEVC prefix and
+            suffix).</para></listitem>
+          <listitem><para>Avoid bitstream filters. Only use a filter when absolutely certain it will
+            not modify or remove SEIs. Never run “cleaning” filters that remove private SEIs.</para>
+          </listitem>
+          </itemizedlist>
+        </para>
+      </section>
+      <section>
+        <title>Recommendations</title>
+        <para>
+          Validate before and after File Export. Run OMS validation on the original source and again
+          on the exported MP4 to confirm integrity.
+        </para>
+        <para>
+          A simpler test is to only verify that the MP4 file has SEIs present after export. Below is
+          an ffmpeg command for that.
+          <programlisting><![CDATA[ffmpeg -i outSigned.mp4 -c copy -bsf:v trace_headers -f null - 2>&1 | grep -i sei]]></programlisting>
+        </para>
+        <para>
+          <emphasis role="bold">Cut at signature‑safe boundaries</emphasis>
+        </para>
+        <para>Trim at SEIs. There will always be a "dangling end" of the exported file, that is,
+          frames that cannot be validated since the associated SEI is not present in the exported
+          recording. To minimize the "dangling end", trim at frames with a signed SEI (inclusive),
+          that is, a SEI with a signature.</para>
+      </section>
+    </section>
     <section>
       <title>Required Side Information</title>
       <para>
@@ -345,6 +418,7 @@ class SurveillanceExportBox
     string  	SourceURL;
     string  	SourceMAC;
     string  	SourceLine;
+    UInt(8)  	SourceSigned;
   }
 }
 ]]></programlisting>
@@ -358,6 +432,8 @@ class SurveillanceExportBox
         <literal>ExportUnitTime </literal>is an integer that provides date and time designation as defined in ISO/IEC 14496-12 of when the export operation has been started.</para>
       <para>
         <literal>entry_count </literal>is an integer that provides the number of tracks.</para>
+      <para>
+        <literal>SourceSigned </literal>is an integer that provides '1' if the track is signed with ONVIF Media Signing.</para>
     </section>
     <section>
       <title>Timing</title>

doc/MediaSigning.xml

@@ -1282,10 +1282,12 @@
       <title>Minimum requirements for client handling of a signed video stream</title>
       <para>Attached to an AU of a signed video stream may be a certificate SEI
         including all information that is only sent once; The certificate SEI bit is set.
-        This SEI should be stored for later use. Further, when exporting a video segment to file,
-        this certificate SEI shall be added to the first AU of that recording.</para>
-      <para>The client shall not remove any SEI-frames from the stream. It is possible to move
-        them to the AU including the I-frame of the following GOP the particular SEI did sign.</para>
+        This SEI shall be stored for later use. Further, when exporting a video segment to
+        file, this certificate SEI shall be added to the first AU of that recording.</para>
+      <para>The client shall not remove any SEI-frames from the stream. It is possible to
+        move a signed SEI to the first AU not included in the associated (partial) GOP.</para>
+      <para>The client shall make sure that the SEIs are not removed when exporting to an
+        MP4 file. For a full list of requirements; See the ExportFileFormat specification.</para>
     </section>
     <section xml:id="section_ajs_njq_bwb">
       <title>Client side validation</title>